IDS mailing list archives

Re: Changes in IDS Companies?


From: "Dominique Brezinski" <dom () decru com>
Date: Tue, 12 Nov 2002 14:29:06 -0800

For a smart-ass response, see below....

----- Original Message -----
From: <detmar.liesen () lds nrw de>
To: <focus-ids () securityfocus com>
Sent: Monday, November 11, 2002 11:40 PM
Subject: AW: Changes in IDS Companies?


<snip>
I don't have enough practical experience to tell if the following idea is
good, but I suggest using a GIDS as a protecting device with just the most
important signatures that are known to reliably detect/block those attacks
we fear most:
-worms
-trojans/backdoors
-well-known exploits

I hate to state the obvious, but if we know enough about these threats to
write a signature to detect them, then we know enough to re-configure our
systems to be immune to them.  Having a GIDS protect against such things
just leads to a false sense of security.

Additionally, NIPS vendors should always maintain a list of those most
common and most dangerous attacks that also gives information about known
false-positives for these signatures.

Yeah, so we can patch or re-configure our systems to be immune to
vulnerabilities and not use their products ;>

On a good day signature-based NIDS cost organizations money to run for no
actionable return....On a bad day they leave the organization feeling secure
when they are not.

Dom

